Microsoft Corporation
Published: February 2009
Abstract
This document covers many new and changed Windows 7 features of interest to IT professionals,
including DirectAccess, BranchCache and other networking technologies, VHD boot and other
deployment technologies, and AppLocker, Biometrics, and other security technologies.
Copyright Information
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the companies, organizations, products, domain
names, e-mail addresses, logos, people, places, and events depicted in examples herein are
fictitious. No association with any real company, organization, product, domain name, e-mail
address, logo, person, place, or event is intended or should be inferred. Complying with all
applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Active Directory, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT,
Windows Vista, and Windows Server are trademarks of the Microsoft group of companies.
Note
For a downloadable version of this document, see Windows 7 Beta Guides.
applications are allowed to run on end user PCs, providing yet another way to limit the risk of
malicious software.
See Also
Springboard Series for Windows 7
Important
AppLocker rules specify which files are allowed to run. Files that are not included in
rules are not allowed to run.
• Assign a rule to a security group or an individual user.
Note
You cannot assign AppLocker rules to Internet zones, individual computers, or
registry paths.
• Create exceptions for .exe files. For example, you can create a rule that allows all
Windows processes to run except Regedit.exe.
• Use audit-only mode to identify files that would not be allowed to run if the policy
were in effect.
• Import and export rules.
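The rule features listed above can be exercised end to end from Windows PowerShell with the AppLocker module that ships in Windows 7. The following is an added example, not code from the Microsoft document: it writes an executable rule collection in audit-only mode that allows everything under the Windows folder except Regedit.exe (the exception case named above), evaluates a few files against it with Test-AppLockerPolicy before anything is enforced, exports the rules currently in effect, and then imports the new collection. The file locations, rule names and rule GUIDs are constructed for the example.

```powershell
# Added example (not from the Microsoft document): author an AppLocker
# executable rule collection in audit-only mode, test which files it would
# block, export the current rules, and import the new ones.
# Paths, rule names and rule Ids below are constructed for this example.
Import-Module AppLocker

# Rule 1: allow everything under %WINDIR% for Everyone (SID S-1-1-0),
#         with Regedit.exe carved out as a path exception.
# Rule 2: allow everything under %PROGRAMFILES%.
# EnforcementMode="AuditOnly" logs would-be denials without blocking anything.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000001"
                  Name="Allow Windows folder except Regedit"
                  Description="Constructed example rule"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\regedit.exe" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000002"
                  Name="Allow Program Files"
                  Description="Constructed example rule"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'   # assumed location
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Test-AppLockerPolicy evaluates files against the XML without applying it.
# Regedit.exe hits the exception, so no rule matches and it is reported as
# denied; notepad.exe is allowed. Files that do not exist on this host are
# skipped because the cmdlet needs to read each file.
$candidates = @(
    (Join-Path $env:WINDIR 'regedit.exe'),
    (Join-Path $env:WINDIR 'notepad.exe'),
    (Join-Path $env:USERPROFILE 'Downloads\unknown-tool.exe')   # constructed path
) | Where-Object { Test-Path $_ }

Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidates -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Export the rules currently in effect on this computer before changing anything.
Get-AppLockerPolicy -Effective -Xml |
    Set-Content -Path (Join-Path $env:TEMP 'applocker-backup.xml') -Encoding UTF8

# Import into the local policy; -Merge keeps rules that already exist.
# To target a GPO instead, pass -Ldap with the GPO's distinguished name
# (placeholder: "LDAP://<dc>/CN={<gpo-guid>},CN=Policies,CN=System,DC=<domain>").
# Enforcement of the imported rules requires the Application Identity service.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Keeping the collection in AuditOnly for a pilot period and reviewing the AppLocker event log before switching EnforcementMode to Enabled is the practical way to discover line-of-business executables the rules forgot.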
• Reduce the total cost of ownership by ensuring that workstations are homogeneous
across their enterprise and that users are running only the software and applications that
are approved by the enterprise.
• Reduce the possibility of information leaks from unauthorized software.
AppLocker may also be of interest to organizations that currently use Group Policy objects
(GPOs) to manage Windows-based computers or have per-user application installations.
Note
At least one Windows Server 2008 R2 domain controller is required to host the
AppLocker rules.
points that offers a more consistent user experience across devices and applications. The
Windows Biometric Framework also includes management functions that allow administrators to
control the deployment of biometric fingerprint devices in the enterprise.
To manage domain Group Policy, you must first install the GPMC. The GPMC is included with
RSAT, which is available for download:
• Windows Server 2008 R2 Remote Server Administration Tools for Windows 7
• Windows Server 2008 Remote Server Administration Tools for Windows Vista with
SP1
RSAT enables IT administrators to remotely manage roles and features in Windows
Server 2008 R2 from a computer that is running Windows 7. RSAT includes support for the
remote management of computers that are running either a Server Core installation or the full
installation option of Windows Server 2008 R2. The functionality RSAT provides is similar to that of
the Windows Server 2003 Administration Tools Pack.
Installing RSAT does not automatically install the GPMC. To install the GPMC after you install
RSAT, click Programs in Control Panel, click Turn Windows features on or off, expand
Remote Server Administration Tools, expand Feature Administration Tools, and select the
Feature Administration Tools and Group Policy Management Tools check boxes.
Policy Management Console (GPMC). To help you perform these tasks, Group Policy in Windows
Server 2008 R2 provides more than 25 cmdlets. Each cmdlet is a simple, single-function
command-line tool.
You can use the Group Policy cmdlets to perform the following tasks for domain-based Group
Policy objects (GPOs):
• Maintaining GPOs: GPO creation, removal, backup, and import.
• Associating GPOs with Active Directory® containers: Group Policy link creation,
update, and removal.
• Setting inheritance flags and permissions on Active Directory organizational units
(OUs) and domains.
• Configuring registry-based policy settings and Group Policy Preferences Registry
settings: Update, retrieval, and removal.
• Creating and editing Starter GPOs.
Note
For more information about the Group Policy cmdlets, run Get-Help <cmdlet-name> for
basic Help and Get-Help <cmdlet-name> -detailed for detailed Help.
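The five task groups above map directly onto cmdlets. The script below is an added example, not from the Microsoft document: it walks one GPO through its lifecycle from a Windows 7 computer with RSAT, creating it (optionally from a Starter GPO), setting a registry-based policy, linking it to an OU, adjusting inheritance and delegated permissions, and backing it up. The domain, OU, group and GPO names and the backup folder are assumptions; the registry values used are those of the real "Turn on Script Execution" policy for Windows PowerShell.

```powershell
# Added example (not from the Microsoft document): the GPO lifecycle with the
# Windows Server 2008 R2 Group Policy cmdlets. Domain, OU, group and GPO
# names and the backup folder are assumptions.
Import-Module GroupPolicy

$domain  = 'corp.example.com'                           # assumed domain
$ouDn    = 'OU=Workstations,DC=corp,DC=example,DC=com'  # assumed OU
$gpoName = 'PS Execution Policy - Workstations'         # assumed GPO name

# 0. Starter GPOs: a template the real GPO is created from.
$starter = Get-GPStarterGPO -Name 'Workstation baseline' -Domain $domain -ErrorAction SilentlyContinue
if (-not $starter) {
    $starter = New-GPStarterGPO -Name 'Workstation baseline' -Domain $domain -Comment 'Assumed starter GPO'
}

# 1. Maintaining GPOs: create the GPO from the starter, or reuse an existing one.
$gpo = Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Domain $domain -StarterGpoName $starter.DisplayName `
                   -Comment 'Created by example script'
}

# 2. Registry-based policy settings: "Turn on Script Execution" is stored under
#    HKLM\Software\Policies\Microsoft\Windows\PowerShell as EnableScripts (DWORD)
#    and ExecutionPolicy (REG_SZ). RemoteSigned requires downloaded scripts to be
#    signed while still allowing locally written scripts.
$key = 'HKLM\Software\Policies\Microsoft\Windows\PowerShell'
Set-GPRegistryValue -Name $gpoName -Domain $domain -Key $key `
    -ValueName 'EnableScripts' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Domain $domain -Key $key `
    -ValueName 'ExecutionPolicy' -Type String -Value 'RemoteSigned' | Out-Null

# Read the values back to confirm what the GPO will deliver.
Get-GPRegistryValue -Name $gpoName -Domain $domain -Key $key |
    Select-Object ValueName, Type, Value

# 3. Associating GPOs with AD containers: link to the OU, enabled and enforced
#    so that a child OU cannot override it.
$inheritance = Get-GPInheritance -Target $ouDn -Domain $domain
if (-not ($inheritance.GpoLinks | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Domain $domain -Target $ouDn -LinkEnabled Yes -Enforced Yes | Out-Null
}

# 4. Inheritance flags and permissions: keep inheritance on for the OU and give
#    the helpdesk group read-only rights on the GPO (delegation without edit rights).
Set-GPInheritance -Target $ouDn -Domain $domain -IsBlocked No | Out-Null
Set-GPPermissions -Name $gpoName -Domain $domain -TargetName 'Helpdesk' `
    -TargetType Group -PermissionLevel GpoRead | Out-Null   # 'Helpdesk' is an assumed group

# 5. Backup: capture the GPO so the change can be reverted with Import-GPO.
$backupDir = 'C:\GPO-Backups'                               # assumed folder
if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }
Backup-GPO -Name $gpoName -Domain $domain -Path $backupDir -Comment 'Before rollout' |
    Select-Object DisplayName, Id, CreationTime
```

Taking the backup after the settings are written, rather than before, means the backup contains the reviewed state you intend to roll out; a second backup of the previous version is worth keeping if the GPO already existed.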
Table (columns: Setting name, Location, Default value, Possible values)
Additional references
• Windows PowerShell Technology Center: This Web site is an entry point for Windows
PowerShell documentation, such as information about deployment, operations, training,
support, and communities.
• Windows PowerShell blog: This Web site is an entry point for Windows PowerShell
blogs that includes information about current Windows PowerShell developments, best
practices, training, and other resources.
• Group Policy Technology Center: This Web site is an entry point for Group Policy
documentation, such as information about deployment, operations, training, support, and
communities.
• Group Policy Settings Reference: This document lists Group Policy settings
described in administrative template (ADMX) files and security settings. This spreadsheet
includes all administrative template policy settings for Windows Server 2008 R2 and
Windows Vista.
and immediate tasks for Windows 7, Windows Server 2008, and Windows Vista; and Windows
Internet Explorer 8.
Starter Group Policy Objects
What works differently?
You no longer have to download these System Starter GPOs because they are included in
Windows Server 2008 R2 and Windows 7 with RSAT.
Additional references
• For more information about the EC and SSLF client scenarios for Windows Vista and
the recommended policy settings, see the Windows Vista Security Guide
(http://go.microsoft.com/fwlink/?LinkID=121852).
• For more information about the EC and SSLF client scenarios for Windows XP and
the recommended policy settings, see the Windows XP Security Guide
(http://go.microsoft.com/fwlink/?LinkID=121854).
Additionally, the Explain field, which provides additional information about a policy setting, is now
called Help.
• Support for handwriting recognition, personalization, and text prediction in new
languages.
• Support for handwritten math expressions.
• Personalized custom dictionaries for handwriting recognition.
• New integration capabilities for software developers.
In Windows Vista, handwriting recognition is supported for eight Latin languages: English (United
States and United Kingdom), German, French, Spanish, Italian, Dutch, and Brazilian Portuguese,
and four East Asian languages: Japanese, Chinese (Simplified and Traditional), and Korean. For
Windows 7, 14 additional languages are supported: Norwegian (Bokmål and Nynorsk), Swedish,
Finnish, Danish, Polish, Portuguese (Portugal), Romanian, Serbian (Cyrillic and Latin), Catalan,
Russian, Czech, and Croatian. Windows 7 users can launch the Tablet Input Panel (TIP), write in
any language for which a recognizer is available, and insert the converted, recognized
text into applications such as Microsoft Outlook® or Word.
In Windows Vista, personalization for handwriting recognition is supported only for United States
English and United Kingdom English for the Latin languages. For Windows 7, six additional Latin
languages for which base recognizers shipped in Windows Vista will receive the benefits of the
Personalization features. Additionally, personalization will be included for all 14 new languages in
Windows 7. Personalization improves a user's handwriting experience significantly as the
recognizer learns how and what a user writes.
When using the soft (on-screen) keyboard in Windows 7, Text Prediction helps you enter text
more efficiently. Users typing a few letters will be offered a list of words that match. Based on the
words users input frequently and the corrections that they make, Windows 7 will become even
better at predicting what a user types over time. When using the soft keyboard, Windows 7
supported languages for Text Prediction are expanded beyond the support of United States
English and United Kingdom English in Windows Vista to include the following: French, German,
Italian, Korean, Simplified Chinese, Traditional Chinese, and Japanese. New languages
supported for Text Prediction with pen input include Simplified Chinese and Traditional Chinese.
Text Prediction for Simplified Chinese and Traditional Chinese offers both word completion and
next word prediction. Users will benefit from this feature as it significantly speeds up handwriting
input for these languages.
Windows 7 enables users who work with math expressions to use handwriting recognition to input
math expressions via the Math Input Panel, a new accessory. The Math Input Panel recognizes
handwritten math expressions, provides a rich correction experience, and inserts math
expressions into target programs. Math Input Control, which offers the same recognition and
correction functionality, enables developers to integrate math handwriting recognition into
programs directly for a higher degree of control and customization.
In Windows Vista, the ability of users to add a new word to the built-in dictionaries is limited.
Windows 7 allows users to create custom dictionaries, enabling them to replace or augment the
built-in vocabulary by using their own specialized wordlists.
Windows 7 exposes many Tablet PC enhancements for access by software developers, so they
can make their applications more useful. For example, updated Ink Analysis APIs in Windows 7
enhance and accelerate the development of ink-enabled applications—and make it easier to
integrate basic shape recognition features. Through these capabilities, users will benefit from
more options in programs that can use the unique capabilities of a Tablet PC.
What does DirectAccess do?
With the DirectAccess feature introduced in Windows Server 2008 R2, domain member
computers running Windows 7 can connect to enterprise network resources whenever they
connect to the Internet. During access to network resources, a user connected to the Internet has
virtually the same experience as if connected directly to an organization's local area network
(LAN). Furthermore, DirectAccess enables IT professionals to manage mobile computers outside
of the office. Each time a domain member computer connects to the Internet, before the user logs
on, DirectAccess establishes a bi-directional connection that enables the client computer to stay
up to date with company policies and receive software updates.
Security and performance features of DirectAccess include authentication, encryption, and
access control. IT professionals can configure the network resources to which each user can
connect, granting unlimited access or allowing access only to specific servers or networks.
DirectAccess also offers a feature that sends only the traffic destined for the enterprise network
through the DirectAccess server. Other Internet traffic is routed through the Internet gateway that
the client computer uses. This feature is optional, and DirectAccess can be configured to send all
traffic through the enterprise network.
to access IPv4 resources on the enterprise network. IPv6 or transition technologies must
be available on the DirectAccess server and allowed to pass through the perimeter
network firewall.
What does URL-based QoS do?
QoS marks IP packets with a Differentiated Services Code Point (DSCP) number that routers
then examine to determine the priority of the packet. If packets are queued at the router, higher
priority packets are sent before lower priority packets. With URL-based QoS, IT professionals can
prioritize network traffic based on the source URL, in addition to prioritization based on IP address
and ports. This gives IT professionals more control over network traffic, ensuring that important
Web traffic is processed before less-important traffic, even when that traffic originates at the same
server. This can improve performance on busy networks. For example, you can assign Web traffic
for critical internal Web sites a higher priority than external Web sites. Similarly non-work-related
Web sites that can consume network bandwidth can be assigned a lower priority so that other
traffic is not affected.
What's New in Service Accounts
One of the security challenges for critical network applications such as Exchange and IIS is
selecting the appropriate type of account for the application to use.
On a local computer, an administrator can configure the application to run as Local Service,
Network Service, or Local System. These service accounts are simple to configure and use but
are typically shared among multiple applications and services and cannot be managed on a
domain level.
If you configure the application to use a domain account, you can isolate the privileges for the
application, but you need to manually manage passwords or create a custom solution for
managing these passwords. Many SQL Server and IIS applications use this strategy to enhance
security, but at a cost of additional administration and complexity.
In these deployments, service administrators spend a considerable amount of time in
maintenance tasks such as managing service passwords and service principal names (SPNs),
which are required for Kerberos authentication. In addition, these maintenance tasks can disrupt
service.
What are the benefits of new managed service
accounts?
In addition to the enhanced security that is provided by having individual accounts for critical
services, there are four important administrative benefits associated with managed service
accounts:
• Managed service accounts allow administrators to create a class of domain accounts
that can be used to manage and maintain services on local computers.
• Unlike with regular domain accounts, the network passwords for these accounts will
be reset automatically, freeing the administrator from having to reset these passwords
manually.
• Unlike with normal local computer and user accounts, the administrator does not
have to complete complex SPN management tasks to use managed service accounts.
• Administrative tasks for managed service accounts can be delegated to non-
administrators.
automatically. However, the domain administrator using these server operating systems
will still need to manually configure SPN data for managed service accounts.
To use managed service accounts in Windows Server 2008, Windows Server 2003, or mixed-
mode domain environments, the following schema changes must be applied:
• The service account schema must be applied at the forest level.
• The schema must be changed at the domain level to create the default Managed
Service Account container.
For more information, see Extending the Schema.
For more information about managing SPNs, see Service Principal Names.
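The account-selection problem described at the start of this section and the managed service account remedy described after it can be put together in one script. The following is an added example, not from the Microsoft document: it first inventories which services on a computer run under the shared built-in accounts, under domain accounts whose passwords someone has to rotate by hand, or already under a managed service account, and then shows the provisioning steps for moving one service to an MSA with the Active Directory cmdlets in Windows Server 2008 R2 and the Windows 7 RSAT. The domain, host, MSA and service names are assumptions, and the MSA steps need the schema extensions and 2008 R2 domain controller this section describes.

```powershell
# Added example (not from the Microsoft document): inventory service logon
# accounts, then move one service to a managed service account (MSA).
# Host, MSA and service names are assumptions.

# Win32_Service.StartName is the account each service logs on with.
function Get-ServiceAccountInventory {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartName } |
        ForEach-Object {
            $name = $_.StartName
            if     ($builtIn -contains $name)  { $kind = 'Built-in (shared)' }
            elseif ($name -like '*$')           { $kind = 'Managed service account' }
            elseif ($name -like '.\*')          { $kind = 'Local account' }
            elseif ($name -like '*\*' -or $name -like '*@*') { $kind = 'Domain account (manual password)' }
            else                                { $kind = 'Local account' }
            New-Object PSObject -Property @{
                Computer = $ComputerName
                Service  = $_.Name
                Account  = $name
                Kind     = $kind
            }
        }
}

# Services under domain accounts are the ones carrying the password and SPN
# maintenance burden; start the MSA migration with those.
Get-ServiceAccountInventory | Sort-Object Kind, Service |
    Format-Table Computer, Service, Account, Kind -AutoSize

# ---- Provisioning an MSA for one service -------------------------------------
Import-Module ActiveDirectory
$msaName     = 'svc-webapp'   # assumed MSA name
$hostName    = 'WEB01'        # assumed member server (Windows Server 2008 R2)
$serviceName = 'W3SVC'        # assumed service to reconfigure

# Step 1 (from an administration workstation): create the MSA in the default
# Managed Service Accounts container and bind it to the host that may use it.
New-ADServiceAccount -Name $msaName -Enabled $true
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# Step 2 (run on WEB01 itself): install the MSA locally so the host can
# retrieve the automatically managed password.
Install-ADServiceAccount -Identity $msaName

# Step 3 (run on WEB01): point the service at DOMAIN\name$ with no password;
# Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl,
# StartMode, DesktopInteract, StartName, StartPassword, ...) - only the
# StartName is set, the password stays $null because Windows manages it.
$svc    = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
$result = $svc.Change($null, $null, $null, $null, $null, $null, "$env:USERDOMAIN\$msaName`$", $null)
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($result.ReturnValue)"
}
Restart-Service -Name $serviceName
Get-ServiceAccountInventory | Where-Object { $_.Service -eq $serviceName }
```

The inventory function is also the check to rerun after the migration: the service should now show up as "Managed service account", and any remaining "Domain account (manual password)" rows are the next candidates.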
media by turning on BitLocker and then choosing the smart card option to unlock the
drive. At run time, Windows retrieves the correct minidriver for the smart card and allows
the operation to complete.
• Smart card domain logon by using the PKINIT protocol. In Windows 7, the
correct minidriver for a smart card is retrieved automatically, enabling a new smart card to
authenticate to the domain without requiring the user to install or configure additional
middleware.
• Document and e-mail signing. Windows 7 users can rely on Windows to retrieve
the correct minidriver for a smart card at run time to sign an e-mail or document. In
addition, XML Paper Specification (XPS) documents can be signed without the need for
additional software.
• Use with line-of-business applications. In Windows 7, any application that uses
Cryptography Next Generation (CNG) or CryptoAPI to enable the application to use
certificates can rely on Windows to retrieve the correct minidriver for a smart card at run
time so that no additional middleware is needed.
• Increase the number of tasks that the standard user can perform that do not prompt
for administrator approval.
• Allow a user with administrator privileges to configure the UAC experience in the
Control Panel.
• Provide additional local security policies that enable a local administrator to change
the behavior of the UAC messages for local administrators in Admin Approval Mode.
• Provide additional local security policies that enable a local administrator to change
the behavior of the UAC messages for standard users.
• Internet Explorer prompts for running application installers are merged.
• Internet Explorer prompts for installing ActiveX® controls are merged.
The default UAC setting allows a standard user to perform the following tasks without receiving a
UAC prompt:
• Install updates from Windows Update.
• Install drivers that are downloaded from Windows Update or included with the
operating system.
• View Windows settings. (However, a standard user is prompted for elevated
privileges when changing Windows settings.)
• Pair Bluetooth devices to the computer.
• Reset the network adapter and perform other network diagnostic and repair tasks.
Table (columns: Actions, Only notify me when programs try to make changes to my computer, Always notify me)
Change the behavior of UAC messages for standard users
If you are logged on as a local administrator, you can change the behavior of UAC prompts in the
local security policies for standard users.
• Automatically deny elevation requests. Administrator applications cannot run. The
user receives an error message that indicates a policy is preventing the application from
running.
• Prompt for credentials. This is the default setting. For an application to run with the
full administrator access token, the user must enter administrative credentials in the User
Account Control dialog box that is displayed on the desktop.
• Prompt for credentials on the secure desktop. For an application to run with the
full administrator access token, the user must enter administrative credentials in the User
Account Control dialog box that is displayed on the secure desktop.
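The three behaviors above are stored in the local security policy as a single registry value, which makes them easy to read back and to check across a fleet. The script below is an added example, not from the Microsoft document: it reports the current standard-user elevation behavior together with whether UAC itself is on, lets a local administrator switch between the three behaviors, and flags a computer that does not match a baseline you choose. The value-to-behavior mapping (0, 1, 3) is that of the ConsentPromptBehaviorUser value under the UAC policy key; the baseline value and function names are assumptions.

```powershell
# Added example (not from the Microsoft document): read, set and audit the
# local "behavior of the elevation prompt for standard users" policy.
# ConsentPromptBehaviorUser:  0 = Automatically deny elevation requests
#                              1 = Prompt for credentials on the secure desktop
#                              3 = Prompt for credentials
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$behaviors = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Get-UacStandardUserPrompt {
    $p     = Get-ItemProperty -Path $uacKey
    $value = [int]$p.ConsentPromptBehaviorUser
    if ($behaviors.ContainsKey($value)) { $text = $behaviors[$value] } else { $text = "Unknown ($value)" }
    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        Value         = $value
        Behavior      = $text
        UacEnabled    = ([int]$p.EnableLUA -eq 1)
        SecureDesktop = ([int]$p.PromptOnSecureDesktop -eq 1)   # elevation prompts switch desktops
    }
}

function Set-UacStandardUserPrompt {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('Deny', 'SecureDesktop', 'Prompt')]
        [string]$Mode
    )
    switch ($Mode) {
        'Deny'          { $value = 0 }
        'SecureDesktop' { $value = 1 }
        'Prompt'        { $value = 3 }
    }
    # Writing HKLM requires an elevated (administrator) session.
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorUser -Value $value -Type DWord
    Get-UacStandardUserPrompt
}

# Baseline check: a locked-down pool might require Deny (0); elsewhere the
# secure-desktop prompt (1) keeps other processes from drawing over the
# credential dialog. The expected value is an assumption for the example.
function Test-UacBaseline {
    param([int]$Expected = 1)
    $current = Get-UacStandardUserPrompt
    if ($current.Value -ne $Expected -or -not $current.UacEnabled) {
        Write-Warning ("{0}: standard-user prompt is '{1}' (EnableLUA={2}); expected value {3}" -f `
            $current.Computer, $current.Behavior, $current.UacEnabled, $Expected)
        return $false
    }
    return $true
}

Get-UacStandardUserPrompt | Format-List Computer, Value, Behavior, UacEnabled, SecureDesktop
Test-UacBaseline
```

On domain-joined computers the same value is normally delivered by Group Policy (the policy setting "User Account Control: Behavior of the elevation prompt for standard users"), in which case a local change is overwritten at the next policy refresh; the audit function is still useful for confirming that the policy actually arrived.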
For more information about using Virtual Hard Disks for Native Boot in Windows 7, see the
Walkthrough: Deploy a Virtual Hard Disk for Native Boot topic in the Windows Automated
Installation Kit for Windows 7 Beta.
What are the dependencies?
The steps for deploying a Windows 7 or Windows Server 2008 R2 image to a VHD file depend
on the Windows deployment tools, including imagex.exe. Imagex.exe is used to capture a
Windows operating system partition into a Windows Image (.wim) file format, and to apply a .wim
file to a file system partition, which may reside inside a VHD file.
The imagex.exe deployment tool is one of the tools distributed in the Windows Automated
Installation Kit (Windows AIK). The Windows 7 Beta version of the Windows AIK must be
installed to get the deployment tools and is available for download from the Windows Automated
Installation Kit for Windows 7 Beta.
The Windows AIK download is an ISO image that you burn to a DVD and then install on your
system. After installing the Windows AIK, the ImageX command line tool is located in the
Windows AIK\PE Tools directory.
Native boot of Windows 7 from a VHD file also requires the Windows 7 boot environment. The
Windows 7 boot environment is initialized during a full operating system installation and includes
the Windows Boot Manager and Boot Configuration Data (BCD) and other supporting files.
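Putting the pieces in this section together, a native-boot VHD is created with DiskPart, populated with ImageX, and registered with the boot manager through BCDEdit. The script below is an added example, not from the Microsoft document and not the walkthrough it references: it runs those three tools in order from an elevated Windows PowerShell session on a Windows 7 host with the Windows AIK installed. The VHD location and size, the path to the .wim, the image index, the temporary drive letter, and the ImageX path are assumptions.

```powershell
# Added example (not from the Microsoft document): create a VHD, apply a
# Windows 7 image into it with ImageX, and add a BCD entry for native VHD boot.
# Paths, size, image index and the drive letter are assumptions; run elevated.
$vhdPath  = 'C:\VHD\win7.vhd'                                   # assumed VHD location
$wimPath  = 'D:\sources\install.wim'                            # assumed Windows 7 media
$imageIdx = 1                                                   # image index inside the .wim
$mount    = 'V'                                                 # assumed free drive letter
$imagex   = 'C:\Program Files\Windows AIK\Tools\x86\imagex.exe' # assumed Windows AIK path

foreach ($p in $wimPath, $imagex) {
    if (-not (Test-Path $p)) { throw "Required file not found: $p" }
}
$vhdDir = Split-Path $vhdPath
if (-not (Test-Path $vhdDir)) { New-Item -ItemType Directory -Path $vhdDir | Out-Null }

# 1. DiskPart: create an expandable 30 GB VHD, attach it, create and format an
#    NTFS partition inside it, and give that partition a drive letter.
$scriptFile = Join-Path $env:TEMP 'create-vhd.txt'
@"
create vdisk file=$vhdPath maximum=30000 type=expandable
select vdisk file=$vhdPath
attach vdisk
create partition primary
format fs=ntfs label="Win7VHD" quick
assign letter=$mount
exit
"@ | Set-Content -Path $scriptFile -Encoding ASCII
& diskpart.exe /s $scriptFile
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# 2. ImageX: apply the .wim to the partition that lives inside the VHD.
& $imagex /apply $wimPath $imageIdx "${mount}:\"
if ($LASTEXITCODE -ne 0) { throw "imagex failed with exit code $LASTEXITCODE" }

# 3. Detach the VHD now that the image has been applied.
@"
select vdisk file=$vhdPath
detach vdisk
exit
"@ | Set-Content -Path $scriptFile -Encoding ASCII
& diskpart.exe /s $scriptFile

# 4. BCD: copy the current boot entry and point device/osdevice at the VHD.
#    The locator format is vhd=[<drive>]<path>, e.g. vhd=[C:]\VHD\win7.vhd.
$locator    = 'vhd=[{0}]{1}' -f $vhdPath.Substring(0, 2), $vhdPath.Substring(2)
$copyOutput = (& bcdedit.exe /copy '{current}' /d 'Windows 7 (VHD boot)') -join ' '
if ($copyOutput -match '\{[0-9a-f-]+\}') { $guid = $Matches[0] }
else { throw "bcdedit /copy did not return an entry GUID: $copyOutput" }
& bcdedit.exe /set $guid device   $locator
& bcdedit.exe /set $guid osdevice $locator
& bcdedit.exe /set $guid detecthal on   # let the new entry detect the host's HAL
& bcdedit.exe /enum $guid               # show the finished entry
```

Because the new entry is a copy of {current}, the host's existing Windows 7 boot environment supplies the boot manager and BCD store that native VHD boot depends on; the VHD itself only needs the applied image.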
Windows® 7 includes Windows PowerShell 2.0. It also includes other cmdlets, providers, and
tools that you can add to Windows PowerShell so that you can use and manage other Windows
technologies such as Active Directory® Domain Services, Windows® BitLocker™ Drive
Encryption, the DHCP Server service, Group Policy, Remote Desktop Services, and Windows
Server Backup.
• Advanced functions. Advanced functions behave just like cmdlets, but they are
written in the Windows PowerShell scripting language instead of in C#.
• Script internationalization. Scripts and functions can display messages and Help
text to users in multiple languages.
• Online Help. In addition to Help at the command line, the Get-Help cmdlet has a new
Online parameter that opens a complete and updated version of each Help topic on
Microsoft TechNet.
Remote Management
Windows PowerShell remote management lets users connect to and run Windows PowerShell
commands on all of their computers. IT professionals can use it to monitor and maintain
computers, distribute updates, run scripts and background jobs, collect data, and make uniform,
optimized changes to one computer or to hundreds of computers.
Modules
Windows PowerShell modules make it easier for cmdlet and provider authors to organize and
distribute tools and solutions. And, they make it easier for users to install the tools and add them
to their Windows PowerShell sessions. IT professionals can use modules to distribute tested and
approved solutions throughout their enterprise and share them with other professionals in the
community.
Transactions
Windows PowerShell transactions let you use Windows PowerShell to make changes that might
have to be rolled back or committed as a unit, such as database updates and changes to the
registry.
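Advanced functions, remote management and transactions can be seen together in one short script. The following is an added example, not from the Microsoft document: an advanced function with cmdlet-style parameter binding collects the AppLocker enforcement mode of each rule collection from many computers at once through Windows PowerShell remoting, and a transacted block of registry changes is committed or rolled back as a unit. The computer names and the registry key are assumptions; remoting must already be enabled on the target computers (Enable-PSRemoting) and the caller needs administrator rights there.

```powershell
# Added example (not from the Microsoft document): an advanced function that
# fans out over remoting, plus a transacted registry change.
# Computer names and the registry key are assumptions.

function Get-AppLockerEnforcement {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline=$true)]
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    begin   { $targets = @() }
    process { $targets += $ComputerName }
    end {
        # One Invoke-Command call runs the script block on all targets in
        # parallel; only the objects it emits travel back over the wire.
        Invoke-Command -ComputerName $targets -ScriptBlock {
            Import-Module AppLocker
            [xml]$policy = Get-AppLockerPolicy -Effective -Xml
            $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
            if ($svc) { $svcStatus = $svc.Status } else { $svcStatus = 'missing' }
            foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
                New-Object PSObject -Property @{
                    Computer        = $env:COMPUTERNAME
                    Collection      = $rc.Type
                    EnforcementMode = $rc.EnforcementMode
                    RuleCount       = @($rc.ChildNodes).Count
                    AppIdService    = $svcStatus
                }
            }
        }
    }
}

# Pipeline input binds to -ComputerName; the filter keeps only computers where
# enforcement is not on or the Application Identity service is not running.
'WKS01', 'WKS02', 'WKS03' | Get-AppLockerEnforcement |
    Where-Object { $_.EnforcementMode -ne 'Enabled' -or $_.AppIdService -ne 'Running' } |
    Format-Table Computer, Collection, EnforcementMode, RuleCount, AppIdService -AutoSize

# Transactions: the registry provider is transaction-aware, so a group of
# related changes is either committed together or never appears at all.
$key = 'HKCU:\Software\ExampleCorp\Rollout'   # assumed key
Start-Transaction
try {
    New-Item -Path $key -Force -UseTransaction | Out-Null
    New-ItemProperty -Path $key -Name Stage    -Value 'pilot' -PropertyType String -UseTransaction | Out-Null
    New-ItemProperty -Path $key -Name Approved -Value 0       -PropertyType DWord  -UseTransaction | Out-Null
    Complete-Transaction      # both values become visible only here
} catch {
    Undo-Transaction          # any failure above leaves the registry untouched
    throw
}
Get-ItemProperty -Path $key | Select-Object Stage, Approved
```

The begin/process/end blocks are what make the function accept pipeline input like a cmdlet while still issuing a single remoting call; without the accumulator, each piped name would start its own Invoke-Command and lose the parallelism.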
Note
Indexing of uncached e-mail is also known as classic online e-mail. In Windows® 7 there
is less impact on Microsoft Exchange Server when indexing uncached e-mail. In contrast
to uncached or classic online e-mail, cached e-mail uses a local Offline Folder file (.ost)
to keep a local copy of your Exchange Server mailbox on your computer, which permits
indexing of e-mail locally.
• The importance of file storage encryption to your organization.
• The importance of e-mail encryption and signing to your organization.
Feature: Improvements in the performance and user interface of Windows Explorer
New in Windows 7: The navigation is better organized and more intuitive, everyday tasks are
easier to access, and there are numerous improvements in the presentation of end user content.

Feature: The introduction of libraries to help with organization
New in Windows 7: Libraries make it quicker and easier to find files. Built on the existing
My Documents experience, libraries work like folders do but have additional functionality. In
addition to browsing files by using the hierarchical folder structure, you can also browse
metadata such as date, type, author, and tags. Users can include files from multiple storage
locations in their libraries without having to move or copy the files from original storage
locations.

Feature: The introduction of federated search and search connectors
New in Windows 7: Windows 7 enables searching for content on remote indices. Integrating
federated search into Windows gives users the benefits of using familiar tools and workflows
to search remote

Feature: Indexing of uncached (classic online) e-mail
New in Windows 7: Before users can search for e-mail, the Windows indexing service must index
the e-mail store, which involves collecting the properties and content of e-mail items within
the store. This initial indexing is later followed by smaller incremental indexing (as e-mail
arrives, is read, and deleted, and so on) to keep the index current. Windows 7 minimizes the
impact on the server running Exchange Server by reducing the number of remote procedure calls
(RPC) required to index e-mail messages and attachments. Because e-mail messages are indexed
in native formats (HTML, RTF, and text) there is no load on the server to convert mail types.
Windows indexes public folders only when they are cached locally.

Feature: Support for indexing encrypted files
New in Windows 7: Windows 7 fully supports indexing encrypted files on local file systems,
allowing users to index and search the properties and contents of encrypted files. Users can
manually configure Windows to include encrypted files in indexing, or administrators can
configure this by using Group Policy.

Feature: Support for indexing digitally signed e-mail
New in Windows 7: Windows 7 allows users to search all content in digitally signed e-mail
messages. This includes the message body and any attachments.
A computer that is running Windows Vista Service Pack 1 (SP1) and Windows Search 4.0
functions as follows:
• Users can search all digitally signed e-mail messages that they have sent. This search
includes all message content.
• Users can search all digitally signed e-mail messages that they have received. However,
these searches are limited to certain properties, such as subject, sender, or recipients.
Users cannot search the message body or attachment contents.
Note
Windows 7 does not support indexing the content of encrypted e-mail messages or any
S/MIME receipts that are received on S/MIME signed messages that you send.